Epic Games forums breached, salted passwords nabbed

Unreal Engine chathaus had unbelievably bad security

Information on some 808,000 Unreal Engine and Unreal Tournament forum accounts, including email addresses, birth dates, and private messages, has been stolen from Epic Games.

The games company says passwords were not compromised on the Unreal forums so account resets are not necessary.

Salted passwords were breached for accounts active since July last year on older game forums, including those for legacy Unreal Tournament titles, Gears of War, and Infinity Blade.

"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext," Epic Games says in a statement.

"While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere.

"These forums remain online and no passwords need to be reset."

The breach occurred thanks to an SQL injection hole in an outdated version of vBulletin, ZDNet reports.

Facebook tokens have also reportedly been lifted for those who used the social network to sign in.

Email and password repository LeakedSource revealed the breach, adding to its nearly two billion breached accounts across a variety of important and non-critical sites.

Password best practice is subject to debate. If advice from boffins at Microsoft and Google is followed, passwords should be pronounceable, rather than set to the typically recommended jumble of numbers, special characters, and letters, as such scrambles are difficult for users to recall.